Closed
Bug 909188
Opened 11 years ago
Closed 11 years ago
Allowing non-image in <img src> tag
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
VERIFIED
INVALID
People
(Reporter: KirbyFCF2, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 20130511120803

Steps to reproduce:
A person posted a message to a forum (the message has since been removed so I can't link to it). The message contained the following HTML:
<img src="http://forums.thedailywtf.com/logout.aspx">

Actual results:
Any time someone went to the page containing that message, the code in "logout.aspx" was executed and the person was logged out of the forum.

Expected results:
The <img src> tag does not contain a valid image and should be ignored. Or something. Firefox certainly shouldn't be executing code in an image tag. What if the code contained something more malicious than just logging off?
Comment 1•11 years ago
We can't know if it's an image before loading the URL.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Component: HTML: Parser → DOM: Core & HTML
OS: Windows 7 → All
Hardware: x86_64 → All
Resolution: --- → INVALID
Version: 21 Branch → Trunk
Comment 2•11 years ago
Indeed. The fact that the forum uses a GET for logout is just daft. :( And there's no way we can protect against it on our end, as Ms2ger points out.
Status: RESOLVED → VERIFIED
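The server-side fix that Comment 2 points toward, as an added example that is not part of the bug report or the forum's own code: a logout handler that acts on any GET, next to one that only acts on a POST carrying the session's CSRF token. The function names, the `csrf_token` field, the status codes and the in-memory session store are assumptions made for the illustration.

```python
import hmac
import secrets

# In-memory session store for the example: session id -> user and CSRF token.
SESSIONS = {}

def login(user):
    """Create a session; the CSRF token would be embedded in the site's own forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
    return sid

def logout_get_vulnerable(method, sid, form):
    """Behaviour described in the bug: any GET with the session cookie ends the session."""
    if method == "GET" and SESSIONS.pop(sid, None) is not None:
        return 200
    return 400

def logout_hardened(method, sid, form):
    """Only a POST carrying this session's CSRF token may change state."""
    if method != "POST":
        return 405  # <img src> fetches are always GET, so they stop here
    session = SESSIONS.get(sid)
    if session is None:
        return 401
    supplied = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session["csrf"].encode()):
        return 403  # a cross-site form post cannot read the token
    del SESSIONS[sid]
    return 303  # redirect to the logged-out page

if __name__ == "__main__":
    # Constructed requests: the browser attaches the session cookie (sid) by itself.
    sid = login("alice")
    print("img GET, hardened:  ", logout_hardened("GET", sid, {}), sid in SESSIONS)
    print("forged POST:        ", logout_hardened("POST", sid, {"csrf_token": "x"}), sid in SESSIONS)
    token = SESSIONS[sid]["csrf"]
    print("real logout form:   ", logout_hardened("POST", sid, {"csrf_token": token}), sid in SESSIONS)
    sid = login("bob")
    print("img GET, vulnerable:", logout_get_vulnerable("GET", sid, {}), sid in SESSIONS)
```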